056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b

General

Target

056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
Size

1.1MB
MD5

c3ae67eace438bcafeffff5d732e9bb9
SHA1

f053e9faee3766ff8f174f53ac7b30bd4b73c0a4
SHA256

056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b
SHA512

9b7e9b8d7f2423c522cd4281b2c625aeb903587aca0d160bf39481b3bcc654ba4c10b1d553ed3c5fc3d00bed77e7bc9147b455f355cd6cf2a75985ba1c2635bc
SSDEEP

24576:iio2C4Tz86EE1by3swR9HrwNmojHuD/bsytUltKo+5+VYrle5sh:k4TzJJm9R9kFTSbNtkwo+5Vrle5Q

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe

description	pid	process	target process
PID 2012 set thread context of 1252	2012	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe

pid	process
1252	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
1252	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
1252	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
1252	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
1252	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe

description	pid	process	target process
PID 2012 wrote to memory of 1252	2012	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
PID 2012 wrote to memory of 1252	2012	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
PID 2012 wrote to memory of 1252	2012	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
PID 2012 wrote to memory of 1252	2012	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
PID 2012 wrote to memory of 1252	2012	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
PID 2012 wrote to memory of 1252	2012	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
PID 2012 wrote to memory of 1252	2012	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
PID 2012 wrote to memory of 1252	2012	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
PID 2012 wrote to memory of 1252	2012	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
PID 2012 wrote to memory of 1252	2012	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
PID 2012 wrote to memory of 1252	2012	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe	056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe

C:\Users\Admin\AppData\Local\Temp\056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
"C:\Users\Admin\AppData\Local\Temp\056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\056ed3b3c729e66ce98f15217f045d54ef75a8440d9fda056d491a84d563d92b.exe
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1252-54-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1252-55-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1252-57-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1252-59-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1252-61-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1252-63-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1252-66-0x000000000044E28C-mapping.dmp

Download
memory/1252-65-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1252-68-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1252-69-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1252-70-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1252-71-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1252-73-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads